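rule Hrat
{
    // Detects the Houdini (H-Worm) RAT and the WSH RAT family derived from it.
    // Two independent indicator sets are used: the $a* config/command tokens
    // shared across the script family, and the $wsh* function names specific
    // to WSH RAT. Either set alone is enough to fire (see condition).
    meta:
        author = "@kevthehermit"
        description = "Houdini RAT and WSH RAT variants"
    strings:
        // Config block header and install/command tokens. nocase + wide cover
        // case-mangled and UTF-16 scripts. "installdir" and "runAsAdmin" are
        // generic enough to occur in benign scripts, which is why three
        // distinct tokens are required in the condition.
        $a1 = "-= config =-" wide ascii nocase
        $a2 = "installdir" wide ascii nocase
        $a3 = "runAsAdmin" wide ascii nocase
        $a4 = "get-pass" wide ascii nocase
        // "get-pass-offline" is intentionally not a separate string: it always
        // contains "get-pass" (same modifiers), so it matched $a4 as well and
        // let just two distinct tokens satisfy "3 of ($a*)". Counting only
        // distinct indicators tightens the rule for files that carry
        // "get-pass-offline" plus a single other token; every other input
        // is unaffected.
        $a5 = "install-sdk" wide ascii nocase

        // WSH RAT plugin loader function names. Kept case-sensitive and
        // ASCII-only so they stay specific; add `wide` if UTF-16 samples
        // are observed.
        $wsh1 = "getKeyLogger()"
        $wsh2 = "getRDP()"
        $wsh3 = "getReverseProxy()"
        // Presumably the MSXML dataType value used to decode an embedded
        // base64 payload. Weak on its own (common in benign scripts); it only
        // contributes alongside two of the function names above.
        $wsh4 = "bin.base64"

    condition:
        // Family-wide config tokens, or WSH RAT-specific function names.
        3 of ($a*) or 3 of ($wsh*)
}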
